
rdb: Accessing the Windows Integrated login system from RQL

As you may well know, you can configure your CMS to utilise Windows Integrated login. This SSO process takes the login credentials supplied by your browser and uses them to log you into the CMS automatically. It works out of the box in IE when you’re in the Intranet Zone, and can also be made to work in other zones too.

Let’s say you have your CMS set up with this feature, and you have some RQL that runs outside of the normal plug-in architecture. That is not particularly uncommon (we have lots of it), but in this scenario you need to use RQL login commands before you can do anything productive.

If this has happened to you, the first place you will have looked is the RDCMS.log file, to see what the CMS does to perform an integrated login, and this is what you would have found:

 RQL 
<IODATA>
  <ADMINISTRATION action="login" languageid="" sessionid="12345678" useragent="Mozilla/4.0
  compatible; MSIE 8.0; Windows NT 6.1; WOW64; *snip*)" loginkey="" reddottop="top" loginguid=""
  cmsusertoken="35hTKS+8pAmt/79gtpCn2agMB8iCrDtoR0pqTEKBWSA="
  cmsvalidationkey="3546593841743767706E614D1234566F30714542533D" ssohandlerguid=""
  name="" password="********"></ADMINISTRATION>
</IODATA>

Exciting, isn’t it!  Except that I have worked out where the cmsusertoken and cmsvalidationkey attributes come from, and trust me when I say you can’t make them yourself.
 

So what now? Glad you asked.

I created a dead simple plug-in asp page that looks like this:

 ASP vb.NET 
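<%
' Ask the CMS Windows-authentication COM component for the login values.
Dim oWinAuth, sUserToken, sKey
Set oWinAuth = CreateObject("RDCMSWinAuth.RDWinAuth")
' getUserToken returns the cmsusertoken and fills sKey (passed by reference)
' with the matching cmsvalidationkey.
sUserToken = oWinAuth.getUserToken(sKey)
Set oWinAuth = Nothing
' Emit both values as "token|key" for the caller to split.
Response.Write sUserToken & "|" & sKey
%>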

which simply returns the cmsusertoken and cmsvalidationkey attributes in pipe-separated format, ready to be plugged into your RQL. Note that this only works if the process executing the web page call has an integrated login account in the CMS, and you have to call it each time you want to log in, because the values have a built-in expiry system. The name and password attributes are not required, and you should pass “script” as the value for the useragent attribute.

In my .Net app I simply call it like this:

 C# 
string ret = new WebClient().DownloadString( pluginUri );

then parse out the result.
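
One way to do the parsing and build the login request on the .NET side, as an added example rather than the code from my app or from the CMS itself: it rejects anything that is not a token|key pair (for instance an error page) before the values reach your RQL. The class and method names are hypothetical. The base64/hex shapes are inferred from the single logged request above, the site hosting the plug-in page is assumed to use Windows authentication, and sending only these four attributes is an assumption.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;
using System.Xml.Linq;

// Added example: IntegratedLogin, ParsePair, FetchPair and BuildLoginRql are hypothetical names.
static class IntegratedLogin
{
    // Shapes inferred from the one logged sample: base64 token, hex key (assumption).
    static readonly Regex Base64 = new Regex(@"^[A-Za-z0-9+/]+={0,2}$");
    static readonly Regex Hex = new Regex(@"^[0-9A-Fa-f]+$");

    // Splits "token|key" as written by the plug-in page and rejects anything else,
    // e.g. an HTML error page returned when the COM call fails.
    public static (string Token, string Key) ParsePair(string body)
    {
        string[] parts = (body ?? "").Trim().Split('|');
        if (parts.Length != 2 || !Base64.IsMatch(parts[0]) || !Hex.IsMatch(parts[1]))
            throw new FormatException("Plug-in page did not return a token|key pair.");
        return (parts[0], parts[1]);
    }

    // Calls the plug-in page as the current Windows identity. WebClient sends no
    // credentials unless asked to, so UseDefaultCredentials is switched on here.
    public static (string Token, string Key) FetchPair(Uri pluginUri)
    {
        using (var client = new WebClient { UseDefaultCredentials = true })
            return ParsePair(client.DownloadString(pluginUri));
    }

    // Builds the login request. The values expire, so fetch a fresh pair for
    // every login instead of caching one, and keep both values out of your logs.
    public static string BuildLoginRql(string token, string key)
    {
        var doc = new XElement("IODATA",
            new XElement("ADMINISTRATION",
                new XAttribute("action", "login"),
                new XAttribute("useragent", "script"), // value the post says to pass
                new XAttribute("cmsusertoken", token),
                new XAttribute("cmsvalidationkey", key)));
        return doc.ToString(SaveOptions.DisableFormatting);
    }
}
```

Call `FetchPair(pluginUri)` immediately before each login and pass the two values straight to `BuildLoginRql`.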